Skip to main content

Operator dossier

coinbasecartel (also tracked as coinbase cartel) is a ransomware operator currently active on public leak sites. Darkfield has indexed 188 public victims claimed by this operator between September 15, 2025 and July 14, 2026. CoinbaseCartel is a ransomware group that emerged in September 2025 with financially motivated operations targeting organizations across multiple sectors and geographic regions. The group has demonstrated significant activity in a short timeframe, compromising at least 102 known victims primarily across the United States, United Arab Emirates, Germany, Canada, and Brazil. Their targeting patterns show a preference for technology companies, financial services organizations, manufacturing entities, and consumer services businesses, suggesting an opportunistic approach focused on organizations likely to have both valuable data and the financial resources to pay ransoms. Given the group's recent emergence and limited public documentation from established threat intelligence sources, details regarding their specific attack methodologies, infrastructure, and organizational structure remain largely unconfirmed by major cybersecurity firms or law enforcement agencies. The group appears to maintain active operations as of late 2025, though comprehensive analysis of their tactics, techniques, and procedures awaits further investigation and reporting by established threat intelligence organizations.

Most-targeted sectors

Most-affected countries

Recent disclosures by coinbasecartel

Most recent 150 of 188 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for coinbasecartel

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

coinbasecartel

aka coinbase cartel · 188 victims indexed · first seen 10 months ago · last activity 13 hours ago

188
Victims indexed
#42 of 364 tracked operators
10m
Active period
Sep 2025 → Jul 2026
10
Countries hit
top US · 28

At a glance

Status
active
Aliases
coinbase cartel
First seen
10 months ago
Last activity
13 hours ago
Onion sites
1 known endpoint
Primary sector
Technology · 29 hits

About

CoinbaseCartel is a ransomware group that emerged in September 2025 with financially motivated operations targeting organizations across multiple sectors and geographic regions. The group has demonstrated significant activity in a short timeframe, compromising at least 102 known victims primarily across the United States, United Arab Emirates, Germany, Canada, and Brazil. Their targeting patterns show a preference for technology companies, financial services organizations, manufacturing entities, and consumer services businesses, suggesting an opportunistic approach focused on organizations likely to have both valuable data and the financial resources to pay ransoms. Given the group's recent emergence and limited public documentation from established threat intelligence sources, details regarding their specific attack methodologies, infrastructure, and organizational structure remain largely unconfirmed by major cybersecurity firms or law enforcement agencies. The group appears to maintain active operations as of late 2025, though comprehensive analysis of their tactics, techniques, and procedures awaits further investigation and reporting by established threat intelligence organizations.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

7 months
2025-09-01T00:00:00+00:00 · 142025-10-01T00:00:00+00:00 · 142025-11-01T00:00:00+00:00 · 132025-12-01T00:00:00+00:00 · 222026-01-01T00:00:00+00:00 · 82026-02-01T00:00:00+00:00 · 112026-03-01T00:00:00+00:00 · 20
2025-09-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
28
🇦🇪 United Arab Emirates
11
🇩🇪 Germany
8
🇨🇦 Canada
6
🇫🇷 France
4
🇧🇷 Brazil
4
🇰🇷 South Korea
3
🇮🇹 Italy
3

Top sectors

Technology
29
Financial Services
8
Manufacturing
8
Consumer Services
8
Transportation/Logistics
8
Business Services
5
Energy
4
Telecommunication
3

MITRE ATT&CK

4 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion

Source

Updated 13 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time coinbasecartel posts a victim.

Add coinbasecartel to your watchlist — Pro pings you within 5 minutes of any new coinbasecartel leak-site post, Telegram callout, or affiliate-rebrand inference.